By Mackenzie Gryder, with Ben Taylor
This blog is part of Gate 15’s Summer of Security: Ransomware Resilience Series, highlighting the essential considerations for organizational leaders and cybersecurity professionals.
The Importance of Proper Communication
Clear communication during a ransomware incident is critical not just for internal teams but also to engage vital external stakeholders. When systems are locked and tensions are high, confusion can make matters worse. Establishing a communication plan before an attack occurs ensures the right messages reach the right people quickly. Knowing who to inform about the incident, at what time, and what information they need to know can not only save time during the response but also prevent costly missteps.
Transparency is Best Policy for Norsk Hydro
In March 2019, Norsk Hydro, a global aluminum producer, experienced a significant ransomware attack involving the LockerGoga malware, which encrypted files across its network and disrupted operations in over 40 countries. The company swiftly activated its incident response plan, opting not to pay the ransom and instead relying on robust data backups to restore systems. Hydro’s transparent communication strategy included daily press briefings and regular updates to stakeholders, earning praise for its openness during the crisis. Despite the operational challenges, particularly in its Extruded Solutions division, the company’s preparedness and decisive actions minimized long-term impacts and set a benchmark for effective ransomware response.
Digging the Hole a Little Deeper
On March 9, 2023, the U.S. Securities and Exchange Commission (SEC) announced that Blackbaud Inc. agreed to pay a $3 million civil penalty to settle charges related to misleading disclosures following a 2020 ransomware attack. Blackbaud, a South Carolina-based software provider for nonprofit organizations, initially claimed in a July 2020 announcement that no sensitive donor information such as bank account details or Social Security numbers had been accessed by the attacker. However, within days of that announcement, internal personnel discovered that such sensitive data had, in fact, been exfiltrated. This critical information was not communicated to senior management responsible for public disclosures due to failures in the company’s disclosure controls and procedures. As a result, Blackbaud filed a quarterly report with the SEC in August 2020 that omitted this material information. The SEC determined that Blackbaud violated multiple provisions of federal securities laws, including Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934. Although Blackbaud neither admitted nor denied the findings, the case highlights the importance of robust internal controls and timely, accurate communication to investors about cybersecurity breaches.
Examples of when communication failures lead to legal consequences
| Organization | Misstep | Regulatory Action |
| --- | --- | --- |
| Uber | Concealed breach, false “bug bounty” | $148M state settlement; CISO convicted |
| SolarWinds | Misleading SEC filings | SEC civil fraud charges |
| Yahoo | Delayed disclosure | $35M SEC fine; $80M investor settlement |
| Equifax | Poor public messaging; insider trading | $425M settlement; criminal charges |
| First American | Failed to inform execs of risk | SEC disclosure control charges |
| T-Mobile | Downplayed breach | $350M class-action settlement |
Communication Preparedness
Incorporating communication strategies into ransomware plans is a proactive step that can significantly reduce chaos and confusion during an incident. Below are points organizations will want to consider as they develop their communications strategy.
Communications Preparedness
- Clearly identify roles and responsibilities in the plan:
  - Identify primary Incident Management Team (IMT) members, as well as other departments that may need to be involved if the response grows in complexity.
  - Assign specific individuals or teams to manage executive communications, employee updates, and cross-departmental coordination.
  - Identify alternates for each role to ensure continuity if primary personnel are unavailable.
- Ensure the organization has secondary and tertiary communications methods:
  - Systems should be secure and segmented from primary communications platforms.
  - Prepare non-digital backup methods in case of system failure.
- Establish relationships ahead of time:
  - Make contact with appropriate law enforcement personnel from your area of operations during steady state (see CISA Regions and FBI Field Offices).
Internal Communications
- Be clear and direct with information requirements:
  - Set reporting timelines and expectations.
  - Ensure senior executives and board members maintain consistent messaging developed by the IMT.
- Internal Coordination:
  - Create a shared dashboard or briefing hub to unify messaging across the IMT.
- Consider organizational cascading impacts:
  - What additional team members may need to be engaged in the IMT?
  - What messages need to go to non-essential staff who may be losing functionality to work systems?
  - Ensure a record keeper is designated to help archive valuable insights for the after action review, as well as for potential litigation related to the incident.
External Communications
- Understand when to engage law enforcement and regulatory agencies:
  - Designate a law enforcement liaison (often CISO, GC, or Compliance Officer) with backup contact.
  - Identify applicable regulatory bodies for your industry (e.g., SEC, HHS, FTC, OFAC, state AGs).
  - Engage in internal discussions on incident materiality thresholds during steady state to allow for the smoothest response.
- Insurance:
  - Understand the policy to properly set expectations.
  - Ensure your preferred external partners are included on the insurance panel.
- Incident Response Vendors:
  - Ensure response times are properly negotiated to meet leadership expectations.
  - Be prepared with potential backup vendors in the event the primary cannot respond with the necessary urgency.
- Information sharing partnerships:
  - Engage with trusted information sharing networks to both receive and contribute timely threat intelligence like indicators of compromise (IOCs) and tactics, techniques & procedures (TTPs).
  - Codifying these relationships, and their benefits, during steady state operations can help alleviate legal concerns about sharing.
- Media Monitoring:
  - Review media mentions to quickly respond to any potential misinformation that may get into the public realm.
This level of engagement with regulators, law enforcement, and trusted partners isn’t just a checkbox; it’s part of a resilient communication ecosystem. In our next post, we’ll explore how information sharing through Information Sharing and Analysis Centers (ISACs) and cross-sector collaboration can dramatically improve preparedness and speed of response during ransomware events.
Insights from our Weekly Ransomware Report. Each week we publish our Weekly Ransomware Report (along with other all-hazards reports) through Gate 15’s Resilience and Intelligence Portal (GRIP). Contact us if you are interested in receiving the full report. Highlights from this week include:
- Most Active Threat Actors (victim number): Interlock (4), Night Spire (4), Kill Security (3)
- M&S hackers sent abuse and ransom demand directly to CEO. The Marks & Spencer hackers sent an abuse-filled email directly to the retailer’s boss gloating about what they had done and demanding payment.
- New Honeywell 2025 Cyber Threat Report reveals ransomware surges 46 percent with OT systems as key targets. New research from Honeywell points to sharp and growing ransomware threats against industrial operators and manufacturers.
Coming Up Next: Stronger Together: The Power of Information Sharing. Our next blog will look at how sharing Indicators of Compromise (IOCs) and Tactics, Techniques & Procedures (TTPs) with industry peers and authorities can assist incident response and boost collective resilience. It can assist in your own response, as well as help identify potential emerging threats in the industry.
Gate 15 has worked across the Critical Infrastructure environment to develop cybersecurity plans and tabletop exercises for trade associations and owner/operators. We are pleased to offer 10% off ransomware exercises to new clients that are booked before 30 September 2025. Send us an email and mention this blog, and let’s discuss how to boost your organizational resilience together.